Yahoo recently confirmed it was the victim of a large-scale data breach, which left more than 500 million users vulnerable two years ago. Read on to learn more.
Just when you think you can breathe a sigh of relief, we’re told to suck that air back in and brace for the inevitable fallout of what is now being considered the largest confirmed data breach of a single company’s computer network to date. According to officials at Yahoo, hackers gained access to more than 500 million user accounts registered with the technology company two years ago. And because so many people use Yahoo for their email, finances, fantasy sports and so on, everybody is being urged to take action immediately – before the cybercriminals have a chance to exploit the stolen data.
Depending on the type of information you have stored on your user account, there are all kinds of dangers associated with this type of data breach. Yahoo officials confirmed that hackers successfully gained access to user names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions.
If you are one of those people who use the same password across all your online accounts, the recovery process will be difficult. Changing your Yahoo password is only the first step in the recovery process. Because cybercriminals can use the information collected to attempt to log in to other websites, you will also need to comb through your other online accounts to make sure they remain secure.
In the meantime, consider utilizing the following password best practices.
Change your passwords quarterly – especially those that protect your email accounts, domain logins and online banking accounts.
Use passphrases with at least 12 characters consisting of upper and lower case letters, numbers and special characters.
Never share your passphrases with others and, if you enter your passphrase on a public computer, change it once you are able to log on to your account from a secure location.
Use two-step verifications whenever they are available.
Think Before You Click
In addition to maintaining your passwords by taking advantage of the best practices listed above, stay vigilant when it comes to email safety. In particular, treat every unsolicited email and communication you receive as untrustworthy. A single click of the mouse can open the floodgates and leave your company’s network exposed to a myriad of cyber threats.
By Steve Roth, IT Director (New Philadelphia office)
Check out these articles for even more password tips:
If you do decide to store your company’s data in the cloud, be sure to thoroughly investigate the cloud environment you intend to use. Then pay close attention to whether the provider’s security controls and processes, including rollover sites and backup and testing procedures, adhere to industry standards. It’s also best practice to request a SOC (Service Organization Controls) report from your cloud provider. Read on to learn more.
I am regularly asked by clients, friends and family whether they should be concerned with storing their data in a cloud-based environment. My answer: Absolutely.
Even though cloud-based data storage solutions are managed by storage and security professionals (at least hopefully), there’s really no way for you to determine whether their authentication policies and data security procedures are always in line with industry standards. Because I’m acutely aware of these standards and best practices, I would have a hard time entrusting a cloud-based data storage enterprise with large amounts of my company’s sensitive information.
At the end of the day, your company’s data and the data you collect is your responsibility. Therefore, your IT team is ultimately responsible for verifying whether it’s properly secured and whether a proper authentication protocol is in place to ensure that those accessing data are approved to do so. When you work with a cloud-based data storage solutions business, your control over data security procedures is significantly limited.
And just because we haven’t heard much about these types of breaches in the past doesn’t mean they don’t happen. Consider, for example, the latest “mega-breach,” which has affected millions of Dropbox users.
The Dropbox Breach
According to reports, more than 68 million Dropbox user accounts and their associated information, including user names and passwords, were discovered online. The company said the Dropbox user information stolen by hackers and distributed via the Internet came from a previously disclosed data breach from 2012. Unfortunately, the company and its users are still being hurt by this attack. In response, Dropbox said in a statement that it was forcing password resets.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, head of trust and security for Dropbox. “We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.”
Protect Your Data To Protect Your Company
Most professionals in the data security field – including myself – believe that any and every site can be hacked. Therefore, in an effort to protect our companies and the businesses and individuals we serve, our goal is to provide comprehensive cybersecurity education to all employees while striving to be aware of all data security issues that may have occurred. Hopefully we will know about any data breach long before cybercriminals have a chance to post information on the Internet or before our businesses are notified of an issue by the FBI or Secret Service.
Want to know why data security professionals say that your company’s employees are your weakest link? This video highlights a common security breach method used by hackers to gain access to your company.
You can take a proactive stance against cybercriminals with the following data security protocols.
Don’t just install a firewall; monitor it constantly. Your IT team can continuously monitor your company’s firewall through the use of Security Information and Event Management (SIEM) or Intrusion Detection System (IDS) tools. You can also work with an external service provider to deliver this essential service.
Passwords are powerful; protect them. Require your employees to use complex passwords to log onto your company’s network and to change those passwords regularly. Secondary authentication is also important to use wherever possible.
Don’t wait for disaster to strike – actively defend your company. Routinely test the access controls of your employees. Not all employees require access to all company data. Instead, only grant access to the data your employees need to do their jobs.
Educate, educate, educate. It seems like there are new phishing attempts, ransomware attacks and malware issues every day. But just because you hear that they are happening doesn’t mean your employees are aware. Make sure you keep your employees up to speed. Doing so may just stop them from clicking on a potentially dangerous email.
If, for whatever reason, you do decide to store your company’s data in the cloud, be sure to thoroughly investigate the cloud environment you intend to use. Then, pay close attention to whether the provider’s security controls and processes, including rollover sites and backup and testing procedures, adhere to industry standards. It’s also best practice to request a SOC (Service Organization Controls) report from your cloud provider.
At the end of the day, all you can do is take ownership of your data and be proactive when it comes to verifying the safety and security of your organization’s data. Email Rea & Associates to learn more.
The best thing to remember when it comes to protecting your business, and yourself, from becoming a victim of fraud is that if something seems a little out of the ordinary, it’s worth checking out before you act. Read on to learn about the newest threat to your identity.
Over the last few years, the threat of refund fraud and identity theft has become a very real concern, and criminals have proven that they will go to great lengths to get the information they need to complete their scams. This recent phishing scam is no exception.
The IRS recently alerted payroll and human resources professionals of an “emerging phishing email scheme that purports to be from company executives and requests personal information on employees.” The scam has already claimed several victims.
IRS Commissioner John Koskinen said that this particular tactic appears to be “a new twist on an old scheme.” These cyber criminals are using the cover of tax season to trick people into sharing confidential data.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” said Koskinen. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
According to the IRS, a criminal investigation is already in place and several cases in which people have been tricked into sharing social security numbers and other sensitive information with criminals are being reviewed. Officials report that criminals regularly use the stolen personal information to file fraudulent tax returns for refunds.
Remind Employees To Remain Alert
To avoid becoming a victim of this particular scam, encourage your employees to pay close attention to emails that contain the following information:
The actual name, title and contact information of somebody in the company
o Oftentimes, criminals will use the name of the company’s CEO to enhance the message’s legitimacy.
A request to provide sensitive information, including:
o The names of employees along with their Social Security Numbers, date of birth, address, and/or salary
o A PDF of an individual’s 2015 W-2 or an earnings summary of all the company’s W-2s.
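The two indicators above (an executive’s name on the message, and a request for W-2 or Social Security data) can be turned into a simple payroll-inbox triage check. This is an added example, not part of the original post or any IRS tool; the company domain, executive names and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"          # assumed: your own mail domain
EXECUTIVES = {"jane doe", "john smith"}     # assumed: names likely to be impersonated

# Wording the IRS alert associates with W-2 / employee-data requests.
SENSITIVE_TERMS = re.compile(
    r"\b(w-?2s?|social security|ssn|date of birth|salary|earnings summary)\b",
    re.IGNORECASE)

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw_email: str) -> list:
    """Return the reasons a message should be verified out of band (empty if none)."""
    msg = message_from_string(raw_email)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    is_exec = name.strip().lower() in EXECUTIVES
    reasons = []
    if is_exec and _domain(sender) != COMPANY_DOMAIN:
        reasons.append("executive display name but sender is not on the company domain")
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append("Reply-To sends answers to a different domain than From")
    if SENSITIVE_TERMS.search(text):
        reasons.append("asks for employee tax or payroll data (W-2, SSN, DOB, salary)")
        if is_exec:  # even a genuine-looking executive request needs a phone call first
            reasons.append("executive requesting employee data: confirm by phone, not by reply")
    return reasons

# Constructed sample messages: a lookalike-domain W-2 request and a harmless note.
PHISH = """From: Jane Doe <jane.doe@example-c0.com>
Reply-To: jane.doe@mail-example-co.com
Subject: Urgent: W-2 copies needed
To: payroll@example-co.com

Please send me the 2015 W-2s for all employees as a PDF today. Thanks, Jane
"""
BENIGN = """From: Bob Jones <bob.jones@example-co.com>
Subject: Lunch on Friday
To: team@example-co.com

Anyone up for lunch Friday?
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, triage(raw))
```

Treat the output as a prompt for out-of-band verification, not a verdict: a request that trips only the “asks for employee data” rule from a real executive should still be confirmed by phone.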
Other Scams Abound For Businesses, Individuals
Unfortunately, businesses appear to have seen an increase of cyber attacks – especially over the last year. Last June, the Financial Services Information Sharing and Analysis Center, the FBI and the United States Secret Service issued a fraud alert in response to a scam dubbed the “Business Email Compromise,” in which fraudsters compromise “legitimate business email accounts for the purpose of conducting an unauthorized wire transfer.”
In response to a nearly 400 percent increase in phishing and malware incidents so far during this tax season, the IRS also renewed its wider consumer alert for email schemes. These emails are designed by scammers to trick taxpayers into believing they are being sent directly from the IRS, other tax industry professionals and/or software companies.
The best thing to remember when it comes to protecting your business, and yourself, from becoming a victim of fraud is that if something seems a little out of the ordinary, it’s worth checking it out before you act.